Application No.
Examiner: CHRISTOPHER J. BROWN
Art Unit: 2439

-- The MAILING DATE of this communication appears on the cover sheet with the correspondence address --
All claims being allowable, PROSECUTION ON THE MERITS IS (OR REMAINS) CLOSED in this application. If not included 
herewith (or previously mailed), a Notice of Allowance (PTOL-85) or other appropriate communication will be mailed in due course. THIS 
NOTICE OF ALLOWABILITY IS NOT A GRANT OF PATENT RIGHTS. This application is subject to withdrawal from issue at the initiative 
of the Office or upon petition by the applicant. See 37 CFR 1.313 and MPEP 1308. 

1. This communication is responsive to 8/24/2010.

2. ☒ The allowed claim(s) is/are 1-18, 20 and 21.

3. □ Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f).

a) □ All b) □ Some* c) □ None of the:

1. □ Certified copies of the priority documents have been received.

2. □ Certified copies of the priority documents have been received in Application No. .

3. □ Copies of the certified copies of the priority documents have been received in this national stage application from the
International Bureau (PCT Rule 17.2(a)).

* Certified copies not received: .

Applicant has THREE MONTHS FROM THE "MAILING DATE" of this communication to file a reply complying with the requirements 
noted below. Failure to timely comply will result in ABANDONMENT of this application. 
THIS THREE-MONTH PERIOD IS NOT EXTENDABLE. 

4. □ A SUBSTITUTE OATH OR DECLARATION must be submitted. Note the attached EXAMINER'S AMENDMENT or NOTICE OF
INFORMAL PATENT APPLICATION (PTO-152) which gives reason(s) why the oath or declaration is deficient.

5. □ CORRECTED DRAWINGS (as "replacement sheets") must be submitted.

(a) □ including changes required by the Notice of Draftsperson's Patent Drawing Review (PTO-948) attached
1) □ hereto or 2) □ to Paper No./Mail Date .

(b) □ including changes required by the attached Examiner's Amendment / Comment or in the Office action of
Paper No./Mail Date .

Identifying indicia such as the application number (see 37 CFR 1.84(c)) should be written on the drawings in the front (not the back) of
each sheet. Replacement sheet(s) should be labeled as such in the header according to 37 CFR 1.121(d).

6. □ DEPOSIT OF and/or INFORMATION about the deposit of BIOLOGICAL MATERIAL must be submitted. Note the
attached Examiner's comment regarding REQUIREMENT FOR THE DEPOSIT OF BIOLOGICAL MATERIAL.

□ Notice of Informal Patent Application

2. □ Notice of Draftperson's Patent Drawing Review (PTO-948)

Paper No./Mail Date .

3. □ Information Disclosure Statements (PTO/SB/08), Paper No./Mail Date

4. □ Examiner's Comment Regarding Requirement for Deposit of Biological Material

7. ☒ Examiner's Amendment/Comment

8. □ Examiner's Statement of Reasons for Allowance

□ Other .

Primary Examiner, Art Unit 2439

EXAMINER'S AMENDMENT 



An examiner's amendment to the record appears below. Should the changes and/or 
additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 
1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the 
payment of the issue fee. 

Authorization for this examiner's amendment was given in a telephone interview with 
Wes Austin on 10/27/2010. 

REPLACE the current claims with the following: 

1. A computer program embodied in a non-transitory computer-readable medium for scanning a 
computer for observer programs, the computer program comprising: 

observer data comprising a plurality of observer program characteristics descriptive of a 
plurality of observer programs where the observer programs are programmed to 
observe activities on a computer system and to create log data, and wherein the log 
data includes screen shots, program usage and web sites visited; 

reading instructions that read memory of the computer to obtain memory data; 

comparing instructions that compare the plurality of observer program characteristics with 
memory data characteristics to determine whether an observer program is present on 
the computer; 

generating instructions that generate results from the comparing, wherein the results 
generated indicate whether the observer program is present on the computer; 

countermeasure instructions that alter the operation of the observer program; 

outputting instructions that provide the results through a graphical user interface and that 
prompt as to whether the countermeasure instructions should be executed, wherein 
the countermeasure instructions are executable to (1) temporarily disable the observer 
program, (2) permanently disable the observer program, and (3) create decoy 
observer created data but wherein the observer program continues running; 

disabling instructions to disable the observer program if it is present on the computer, the 
disabling instructions implementing a method comprising: 

entering a startup command to load a kill program before the observer 
program is started; 

rebooting the computer; 

starting the kill program by execution of the startup command; and 

deleting an observer program startup command so that the observer program 
is not started. 

2. The computer program of claim 1 wherein the memory data includes startup commands. 

3. The computer program of claim 1 wherein the memory data includes registry startup 
commands. 

4. The computer program of claim 1 wherein the plurality of observer program characteristics 
includes observer import table data and wherein the comparing instructions compare 
memory import table data from the memory data characteristics with the observer import 
table data to determine whether an observer program is present on the computer. 

5. The computer program of claim 1 wherein the plurality of observer program characteristics 
includes observer export table data and wherein the comparing instructions compare 
memory export table data from the memory data characteristics with the observer export 
table data to determine whether an observer program is present on the computer. 

6. The computer program of claim 1 wherein the plurality of observer program characteristics 
includes observer resource data and wherein the comparing instructions compare memory 
resource data from the memory data characteristics with the observer resource data to 
determine whether an observer program is present on the computer. 

7. The computer program of claim 1 wherein the plurality of observer program characteristics 
includes observer file content data and wherein the comparing instructions compare 
memory file content data from the memory data characteristics with the observer file 
content data to determine whether an observer program is present on the computer. 

8. The computer program of claim 7 wherein the comparing instructions compare the observer 
file content data with the memory file content data at an offset address. 



9. The computer program of claim 7 wherein the comparing instructions compare the observer 
file content data with a span of the memory file content identified by an offset address. 

10. The computer program of claim 1 wherein the plurality of observer program characteristics 
includes observer module loading data and wherein the comparing instructions compare 
memory module loading data from the memory data characteristics with the observer 
module loading data to determine whether an observer program is present on the 
computer. 

11. The computer program of claim 1 wherein the plurality of observer program characteristics 
includes OS observing functions and wherein the comparing instructions compare 
memory functions from the memory data characteristics with the OS observing functions 
to determine whether an observer program is present on the computer. 

12. The computer program of claim 1 wherein the memory data includes explorer extension 
data. 

13. The computer program of claim 1 wherein the memory data includes file use information. 

14. The computer program of claim 1 wherein the memory data includes process information. 

15. The computer program of claim 1 wherein the memory data includes running process 
information. 

16. The computer program of claim 1 wherein the memory data includes loaded modules 
information. 

17. The computer program of claim 1 wherein the memory data includes driver data. 

18. The computer program of claim 1 wherein the memory data includes kernel driver data. 



19. (Canceled) 



Application/Control Number: 10/027,714 
Art Unit: 2439 






20. The computer program of claim [[19]] 1 wherein the method further comprises deleting 
observer program files. 

21. A method embodied in a non-transitory computer-readable medium for scanning a computer 
for observer programs, the method comprising: 

using observer data comprising a plurality of observer program characteristics descriptive of 
a plurality of observer programs where the observer programs are programmed to 
observe activities on a computer system and to create log data, and wherein the log 
data includes screen shots, program usage and web sites visited; 

reading memory of the computer to obtain memory data; 

comparing the plurality of observer program characteristics with memory data characteristics 
to determine whether an observer program is present on the computer; 

generating results from the comparing, wherein the results generated indicate whether the 
observer program is present on the computer; 

outputting the results through a graphical user interface; and 

prompting the user as to whether countermeasure instructions should be executed, wherein 
the countermeasure instructions are executable to (1) temporarily disable the observer 
program, (2) permanently disable the observer program, and (3) create decoy 
observer created data but wherein the observer program continues running; 

disabling instructions to disable the observer program if it is present on the computer, the 
disabling instructions implementing a method comprising: 

entering a startup command to load a kill program before the observer 
program is started; 

rebooting the computer; 

starting the kill program by execution of the startup command; and 

deleting an observer program startup command so that the observer program 
is not started. 

22-34. (Canceled) 

Allowable Subject Matter 
Claims 1-18, 20-21 are allowed. Claims are allowable over the current art of record due to 
applicant's amendments and persuasive arguments. Claim limitations are enough that motivation 
to combine would not have been sufficient. 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to CHRISTOPHER J. BROWN whose telephone number is 
(571)272-3833. The examiner can normally be reached on 8:30-6:00. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Edan Orgad, can be reached on (571)272-7884. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 